AMD chips may have critical flaws, but report may be short-sell play

AMD’s Ryzen and Epyc server chips may be exposed to several vulnerabilities outlined in a report published today by Israel-based security research firm, CTS-Labs.

CTS-Labs claims to have found 13 critical security vulnerabilities in AMD’s chips. These are separate to the Spectre flaws disclosed by Google in January that also affected Arm and Intel chips, prompting an industry-wide patching effort.

In an unusual move, CTS-Labs only provided the research to AMD immediately prior to publishing the “AMDFLAWS” website.

CTS-Labs also published a white paper that describes each vulnerability’s impact without providing a proof-of-concept exploit that would allow other researchers to test the validity of the claims.

The short deadline differs widely from Google Project Zero’s already-strict vulnerability disclosure policy, which gives vendors 90 days’ grace before it goes public with flaws.

In the case of the Spectre and Meltdown side-channel vulnerabilities, Google extended its disclosure deadline for Intel, Arm, AMD and cloud platforms to six months in order to give vendors time to develop and deploy fixes. AMD and Intel now face class action lawsuits over their respective responses to the flaws.

“At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings,” an AMD spokesperson said.

The alleged vulnerabilities affect AMD’s Secure Processor, formerly known as Platform Security Processor, an ARM-based processor inside the main CPU that is responsible for processing sensitive data. A Google Cloud Security Team member recently reported a remote code execution flaw in one of its components.

CTS-Labs divides the alleged AMD vulnerabilities into four categories: Masterkey, Ryzenfall, Fallout, and a set of backdoors it calls Chimera that it found in a chipset provided by a Taiwanese subsidiary of Asus. All of the flaws require that the attacker have local access and administrative privileges in order to exploit them.

There is a possibility that CTS-Labs’ report is designed to depress AMD’s stock. Short-seller Viceroy Research released a report today claiming the AMD flaws are “difficult, some practically impossible, to patch” and argues the chip maker will be forced to file for bankruptcy.

CTS-Labs’s legal disclaimer also states that it may have a financial interest in stock movements of companies that it provides security reports on.

“Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS-Labs says.

Despite this, CTS-Labs’ claims appear to be legit if somewhat overhyped, according to Jake Williams, CEO of security firm RenditionSec. He noted in a tweet that even if CTS-Labs’ approach isn’t ethical, its claims can still be valid.

Ryan Shrout, principal analyst at chip-focussed research firm Shrout Research, said Viceroy’s research note should be taken with a grain of salt at least until AMD has had time to test the validity of CTS-Labs’ claims.

“Only giving AMD engineers and its security team a day or less time indicates to me that CTS does not in fact have the best interest of AMD, or AMD customers, at the forefront,” Shrout told CSO Australia in an email.

Security researcher Kevin Beaumont labelled CTS-Labs' disclosure as "reckless" and essentially a media hack, given the lack of proof-of-concept code and attacks in the wild.

"All of the bugs require administrator (or root) access to exploit. This is a significant mitigation," noted Beaumont, who described CTS-Labs' FAQ as "worse than Buffy [the Vampire Slayer] fanfic".

"The only real public exploit here at the moment is a press exploit. This situation should not be happening."

The scenario is reminiscent of the unconventional disclosure of security flaws in heart implants manufactured by St Jude Medical in 2016. Muddy Waters, a short-seller, teamed up with security firm MedSec to find and report the flaws. Despite the financial motivation, the vulnerabilities were confirmed and prompted action from regulators.

Shrout reckons Viceroy's claim that AMD stock is worthless due to the flaws was "absurd".

"Given the recent history with Intel and the Meltdown security vulnerability, and the responsible way in which it was released and handled by security professionals and the afflicted companies, this new release, combined with a history of questionable financial dealings, the AMD-specific flaws here seem off base."

"To be clear however, this does not in and of itself mean the security concerns are invalid, and researchers inside and outside AMD need time for due diligence," added Shrout.

CTS-Labs didn't respond to questions from CSO Australia by the time of publishing.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.